CVE-2026-46612
HIGHFission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives
Title source: cnaDescription
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP — including any other workload in the same Kubernetes cluster — could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/fission/fission/security/advisories/GHSA-chf8-4hv6-8pg6
X_Refsource_Misc x_refsource_misc
https://github.com/fission/fission/pull/3365
X_Refsource_Misc x_refsource_misc
https://github.com/fission/fission/pull/3368
X_Refsource_Misc x_refsource_misc
https://github.com/fission/fission/releases/tag/v1.23.0
Scores
CVSS v3
8.8
EPSS
0.0034
EPSS Percentile
26.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (2)
fission/fission
0 - 1.23.0Go
fission/fission
< 1.23.0
Published
Jun 10, 2026
Tracked Since
Jun 11, 2026